ProcessOne Customer Helpdesk and Feedback

Certificates from CAcert and StartSSL are rejected
Posted: 20 December 2010 01:12 PM (Newbie)

Hello,

I want to add a certificate signed by CAcert to my domain. I tried both class 1 and class 3 signed certificates. I tried the class 3 certificate with and without the intermediate CA included. Both were rejected because of an untrusted CA.

I also tried a free class 1 XMPP certificate from StartSSL; that one was also rejected. I tried this also with and without the intermediate CA included.

The exact error message was the same each time: “The certificate is not signed by a trusted authority. It is a self-signed certificate?”

So my question is, what kind of certificates can I use, or what could I have done wrong?

Thanks,
Yannis

Posted: 20 December 2010 11:04 PM [ # 1 ] (Member)

Hello Yannis,

Unfortunately, none of the chained CAs you tried were trusted by hosted.IM, although the certificate format was probably correct. I’ve added those certificate authorities to our system, so you should be able to set up your SSL certificate as expected (assuming it is in PEM format).
Sorry for the inconvenience, and thanks for your feedback.

Regards,

Juan Pablo

Posted: 23 December 2010 12:42 PM [ # 2 ] (Newbie)

(My last message did not get through moderation; the system thought it was spam, so I am trying again with modified links.)

Hi Juan,

Thanks for the quick response and for setting up those CAs, but I still have no luck adding my certificates; they still get rejected due to an untrusted CA.

I tried them with and without intermediate certificates, and also with the root CA certificates included.

This time I also tried them on my Ubuntu server, and they work with ejabberd. openssl verify says OK if I use the CAfile option pointing to a file that contains the CA certificates; that file may be the same certificate that is being verified, if it contains the complete chain.

The chains are as follows, for the CAcert [1] certificates:

Class 1 Root Certificate
..Class 3 Intermediate Certificate
....my certificate

and for the StartSSL [2] certificate:

StartCom Root CA
..Class 1 Intermediate Server CA
....my certificate

For now I’m okay with an invalid certificate, but it would be nice if I could use my own.

Regards,
Yannis

[1] root.crt and class3.crt from http://www. cacert.org/?id=3
[2] ca.pem and sub.class1.server.ca.pem from http://startssl.com/certs/

Posted: 23 December 2010 02:37 PM [ # 3 ] (Member)

Yannis,

I think it’s not a problem with the format, but I must inspect it. I’ll check it in more detail later and inform you when it is solved. Would you please send me a copy of your public certificate (no private key, of course) so I can see how it is validated here?
Thank you, and sorry for the inconvenience.

Posted: 23 December 2010 10:45 PM [ # 4 ] (Newbie)

Okay, I sent you a PM. Thanks for looking into this.

Posted: 24 December 2010 04:37 PM [ # 5 ] (Member)

Hello,

First of all, I’ve fixed a problem with the certificate authorities added last time. Now you shouldn’t receive any message related to untrusted certificates when they come from StartCom or CAcert.
Second, I’ve tried your certificates. The one issued by CAcert is now accepted as expected, but I can’t even parse the one issued by StartCom. It doesn’t have a valid DER encoding.
Would you please try again and see if there are any differences now?
Thank you.

Posted: 24 December 2010 06:02 PM [ # 6 ] (Newbie)

Yes, it’s working now.

I was able to add both certificates, as long as I did not include the intermediate certificate; otherwise I got an error saying that my private key did not match the public key.

Not sure why you could not parse the StartCom cert; I couldn’t find anything wrong with it.

So, I’m happy now! Thank you again for your support.

Posted: 19 January 2011 09:19 PM [ # 7 ] (Newbie)

Juan,

I’m getting the same issue. I have a StartSSL certificate and my client keeps saying invalid CA.

I had an ejabberd server and it was working perfectly.

My domain is wsartori.com.

Thanks,

Wagner Sartori Junior

Posted: 20 January 2011 02:59 PM [ # 8 ] (Moderator)

Hello Wagner,

Is that error message shown when you try to upload your certificate to hosted.im in the administration panel, or is it issued by your client when connecting?

Posted: 20 January 2011 05:34 PM [ # 9 ] (Newbie)

My Jabber client (Psi) is saying this. I think I have to send the intermediate certificate as well, but you don’t have a field to input this.

Posted: 20 January 2011 05:46 PM [ # 10 ] (Moderator)

Strange, this looks more like a client issue. hosted.im accepted the certificate you uploaded and verified it OK.
Now it simply serves it as-is to the connecting client; no further processing is done on the server side.

Is your client machine the same as the one you said worked well with ejabberd? (Maybe it is missing your CA authority?)
Is the domain exactly the same as the one you had with ejabberd?
Is your computer date OK?

Posted: 20 January 2011 06:14 PM [ # 11 ] (Newbie)

Yes, everything is the same. I just migrated my things to hosted.im. The certificate is the same; it is all the same. My PC is an updated Ubuntu 10.10. If I connect to my old server (the service was down; I started ejabberd) and connect, the certificate is OK.

Posted: 20 January 2011 08:32 PM [ # 12 ] (Moderator)

Just as a final note,
the key issue, as Wagner said, was that we didn’t have the full certificate chain (an intermediate certificate was missing). So we had to create it manually and assign it to Wagner’s domain.

We will work on making the certificate upload screen more friendly for these cases.
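The chain checks discussed in posts # 2, # 6 and # 12 (leaf failing to verify without its intermediate, and a bundle that starts with the intermediate being reported as a key mismatch), as an added example that is not code from this thread or from hosted.IM. It assumes the openssl command-line tool is installed; every name, key and the xmpp.example.test domain are made up for the demonstration.

```shell
# Added example, not code from the thread or from hosted.IM: build a throwaway
# root -> intermediate -> leaf chain with the openssl CLI (assumed on PATH,
# 1.1.1 or newer; all names and the example.test domain are made up).
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
newkey() {   # $1 = key file, $2 = CSR file, $3 = subject (EC keys keep this fast)
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -subj "$3" -keyout "$1" -out "$2" >/dev/null 2>&1
}
make_chain() {
    cd "$WORK"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:xmpp.example.test\n' > leaf.ext
    # Self-signed root: the trust anchor the verifying side must already hold
    newkey root.key root.csr '/CN=Example Root CA'
    openssl x509 -req -in root.csr -signkey root.key -days 365 -extfile ca.ext \
        -out root.crt >/dev/null 2>&1
    # Intermediate CA signed by the root, marked as a CA via ca.ext
    newkey inter.key inter.csr '/CN=Example Class 1 Intermediate CA'
    openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 365 -extfile ca.ext -out inter.crt >/dev/null 2>&1
    # Leaf (the server certificate) signed by the intermediate
    newkey leaf.key leaf.csr '/CN=xmpp.example.test'
    openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
        -days 365 -extfile leaf.ext -out leaf.crt >/dev/null 2>&1
    # Bundles in the order a server should present (leaf first) and reversed
    cat leaf.crt inter.crt > fullchain.pem
    cat inter.crt leaf.crt > wrongorder.pem
}
# Succeeds only if openssl can build a path from leaf.crt to root.crt; the file
# named in $1 (if any) supplies untrusted intermediates, as a client would receive them.
verify_leaf() {
    if [ -n "$1" ]; then
        openssl verify -CAfile "$WORK/root.crt" -untrusted "$1" "$WORK/leaf.crt" >/dev/null 2>&1
    else
        openssl verify -CAfile "$WORK/root.crt" "$WORK/leaf.crt" >/dev/null 2>&1
    fi
}
# Does the private key in $1 belong to the FIRST certificate in bundle $2? A bundle
# that starts with the intermediate fails here: the "private key does not match" case.
key_matches_first_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)" ]
}

make_chain
if verify_leaf ""; then echo "root only: OK"; else echo "root only: FAIL, no issuer for the leaf"; fi
if verify_leaf "$WORK/fullchain.pem"; then echo "root + full chain: OK"; fi
```

Without the intermediate, openssl verify reports "unable to get local issuer certificate", which is the same situation a client is in when the server presents only the leaf.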

Posted: 14 January 2012 06:48 AM [ # 13 ] (Newbie)

Is it possible to get these certificates displayed as trusted by now? I had to upload my certificate as self-signed; it would be nice to see if everything worked.

Posted: 16 March 2013 11:40 AM [ # 14 ] (Newbie)

It seems the CAcert from RapidSSL is also not currently loaded on hosted.im; I was trying to add signed SSL keys for domain usage. Every time I paste the certificate and keys, hosted.im reports that the certificate was not signed by a trusted authority. The certificate was actually generated by RapidSSL, so I am guessing you do not have their CA loaded.

Please find it below:

Posted: 18 March 2013 03:52 PM [ # 15 ] (Member)

Hello Lee,

Indeed, hosted.IM is lacking the CA root from GeoTrust. I’ll update it and notify you when it is ready.

Thanks for your feedback, and sorry for the inconvenience.
